States probing massive data breach of Social Security numbers

By Steve Johnson sjohnson@mercurynews.com

Posted:
04/04/2014 05:30:28 PM PDT

Updated:
04/04/2014 05:43:51 PM PDT

In what could be one of the biggest data breaches in history, the federal government and authorities in several states are investigating the criminal sale of Social Security numbers, bank account data and other personal information for up to 200 million U.S. citizens.

The investigations stem from the case of Hieu Minh Ngo, a Vietnamese man who pleaded guilty last month in New Hampshire federal court to selling the data to more than 1,300 of his customers, according to a court transcript.

The breach is the latest demonstration of the growing vulnerability of personal information in the digital age, and is particularly troubling because of the involvement of Social Security numbers.

"It's scary," said Eric Chiu, president of Mountain View security company HyTrust. "That could be information used to steal our identities or drain our bank accounts."

The court records said Ngo obtained the personal data from Ohio-based U.S. Info Search through Court Ventures, a Southern California firm bought by consumer credit-reporting giant Experian in March 2012. Court Ventures' customers typically used U.S. Info Search's data to find court records.

"Ngo contracted with Court Ventures fraudulently representing that he was a private investigator from Singapore," the records said, adding that he ran a business from his home and sold the data from websites he administered.

The prosecutor in Ngo's case testified that the crook's customers had "access to the U.S. Info Search database containing 200 million U.S. citizens' information," though he said the government didn't know how many people actually had data stolen.

But that assessment was disputed by Experian.

"Although we do not know the exact number of U.S. Info Search's records actually accessed at this point, we know that 200 million is false and that the actual number is much lower," the company said in a statement on its website.

Experian insisted that it had been unaware of the breach until after it bought Court Ventures. It was only then, it said, that "the U.S. Secret Service notified us that Court Ventures had been and was continuing to resell data from a U.S. Info Search database to a third party, possibly engaged in illegal activity."

Experian stressed that none of its own data was stolen. Since learning of the crime, it said, "Experian discontinued the sales of this data immediately," has cooperated with federal prosecutors in the case and "has filed suit against the former owners of Court Ventures for permitting the sale of U.S. Info Search's data to Ngo."

However, in its own statement, U.S. Info Search suggested that Court Ventures and Experian were to blame.

"Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service," it said. "We, like many others, provide data to Experian, who in turn sold data to customers they approved and monitored."

If 200 million people were victimized, it would be among the biggest data breaches ever. In February, the firm Hold Security said it had discovered 360 million personal-account records had been stolen from several companies in attacks yet to be made public. An estimated 130 million credit card numbers were pilfered in a 2009 attack on card processor Heartland Payment Systems.

And Target has said the recent attack on its payment card information affected 40 million people in one case and 70 million in another, with at least 12 million customers affected by both breaches.

Whatever the number affected by the breach involving Experian's subsidiary, it's disturbing, said Mark Bower of Cupertino-based Voltage Security.

"Whether it's 10 million or 200 million, that's still a lot of people," he said, adding that it raises serious questions about why Ngo could have been allowed access to such information.

Given the vast number of potential victims, security expert Philip Lieberman called the breach "a declaration of war" on the U.S. and said it was appropriate for the government to be taking the matter seriously.

Reuters said the attorneys general of Connecticut and Illinois are among the state prosecutors looking into the breach. It's unclear if California is involved. Nick Pacilio, spokesman for California Attorney General Kamala Harris, said his agency doesn't comment on investigations.

if your social security number is stolen
Here are steps the Social Security Administration says you should take:
1. Report the theft to the Federal Trade Commission by going to this website, www.idtheft.gov, or calling 877-438-4338.
2. If you have tax concerns because someone has stolen your identity, report it to the Internal Revenue Service at www.irs.gov/uac/Identity-Protection or calling 800-908-4490.
3. File a complaint online with the Internet Crime Complaint Center at www.ic3.gov.
4. Monitor your credit report periodically. You can get free credit reports online at www.annualcreditreport.com.
5. If necessary, the Social Security Administration will sometimes issue a new Social Security number